Revisions made last year to the Health Insurance Portability and Accountability Act (HIPAA) have left many healthcare workers wondering what new responsibilities they’re required to take on. “I started Seacrest DocSecurity because I noted the confusion, the complexity and the lack of understanding that most doctors were dealing with,” says Arnold Rosenbaum, MD, CEO of Seacrest DocSecurity. He is a practicing vascular surgeon and has created a full-service HIPAA compliance company that offers insurance against HIPAA-related mistakes and claims. “We start from the beginning and do a gap analysis, then offer training for privacy security code sets,” Rosenbaum says. The company partners with other businesses to offer physical security, background checks and connectivity security. The company also offers smaller fixes, such as computer privacy screens.

After the remediation of weaknesses found in the gap analysis, Rosenbaum’s company provides a certification that allows for liability insurability. “That’s because malpractice insurance policies don’t cover [violations of HIPAA], and general liability policies don’t cover this. There’s an exclusion for state- and federally mandated regulations in general liability policies,” he points out. When Rosenbaum began researching the idea of a HIPAA consultant firm, he discovered that the largest insurance company in the country was providing insurance for protected health information transmission for HMOs and Blue Cross entities, but not for smaller hospitals, surgery centers and doctors’ offices. “It wasn’t available, and you couldn’t purchase it,” he recalls. “I sat down with the underwriter and a couple of our partner companies, and we structured a package that would allow for insurability.”

Asked how far healthcare facilities have come in adhering to the new HIPAA regulations, Rosenbaum says, “This is just in its infancy; the lawsuits have just begun! There were 15 or 16 lawsuits filed since April that are related to privacy violations, and some of them are class action suits; some are individual suits. You can’t sue for HIPAA violation, because that’s excluded in the law — so the actual suit is handled as either a consumer protection statute violation, or a federal trade statute violation.”

In the initial privacy regulations that went into effect in April 2003, a security portion was included, but the laws did not specify what healthcare facilities had to do, other than with regard to forms — authorization forms and notification forms, for example. “You have to have your staff undergo privacy training, and you would have to keep the information disclosed to the minimum necessary, and only disclose information to an authorized individual. That would be someone the patient authorized, unless the patient were unable to authorize because he was unconscious,” says Rosenbaum. “Actually, that’s led to some confusion. Some individuals have taken that literally, and they have an unconscious patient, and even in an emergency situation, weren’t talking to people about the patient. Things were taken to an extreme. I think a more rational approach to that privacy issue has taken hold.”

The easiest route for training, Rosenbaum says, is to hire a third party to provide staff training in the regulations, rather than providing it internally. “Then you can have testing of the individuals, whereas if it’s an informal training program — say the designated compliance officer is the office manager or one of the doctors in the facility, and just gives a talk — you really don’t have anything of substance. What was the level of teaching? What kind of course was it? It can be handled online or onsite, depending on the size of the facility or cost. Sometimes it’s cheaper to have a site visit if you have enough people, as opposed to having them all go online, and then provide testing. Following that, they would give some certification that these individuals were tested.”

HIPAA requires that transmission of code sets be done in a secure fashion if it is done electronically. “The government hasn’t implemented the regulations for that for two years, yet if one’s information is leaked during this transmission, or inappropriately taken by some unauthorized personnel with a security breach, there’s a privacy problem which occurs. So these three parts — privacy, security and transaction and code sets — although they’re three distinct rules and sets of legislation, they’re really interrelated. That’s why it really has to be treated as a unified package. You can get in trouble with any one of them,” Rosenbaum observes.

Although initial training is one important part, it is not actually stated in the HIPAA regulations, which simply imply that the facility maintain a “secure work force.” Rosenbaum explains, “We as a specific company do a formal background check, because that’s one of the weak links. You’ve got to have the most secure sophisticated computer system with firewalls and all kinds of password protections and encryption, but if you have someone behind the desk or at the computer who [isn’t trustworthy], they can take the information and do identity theft or sell health information.”

Other concerns include physical site security, such as ensuring that files and records are kept in locked file cabinets or a locked file room. “Also, fax machines must be kept in a secure location that’s locked, because after-hour faxes come in with lab results and reports,” Rosenbaum says. During the workday, those faxes could be seen by anyone passing by, including other patients. “A lot of the regulations in HIPAA say that you should ‘secure the environment’ and a lot of it is open-ended, leaving it as a business decision,” Rosenbaum states. “However, if you have blatant disregard for regulations and security and there are complaints against your office, then an investigation will find you haven’t taken any steps, a violation of HIPAA, and then you’ll get fined. Fines start at $25,000 per occurrence. It can be jail time if fraudulent use is involved.”

Facilities must consider their business associates as well — anyone with whom they contract. This includes cleaning personnel, transcription companies, or anything else that is outsourced, such as billing.

“We did a survey and found that 40 percent of doctors’ offices surveyed don’t secure their data transmissions at all,” Rosenbaum says. “There are no firewalls. A significant percentage didn’t have any password protection. Less than half of physicians did background checks. Nearly 30 percent didn’t have fax machines in locked locations.” Not only that, but 36 percent of the physicians surveyed felt that just undergoing privacy training would make them HIPAA compliant.

“What it boils down to is a total ostrich syndrome, with the head in the sand,” Rosenbaum says. “Doctors, doctor groups and facilities really aren’t ready for HIPAA. If you submit claims to Medicare or Medicaid electronically and you use an improper format after April 14, 2004, those claims won’t be paid. Then you have to resubmit them, and my experience with resubmission of claims is that you’re lucky if you get them resubmitted and acted on in an active time period before they say it’s too late. Then the only redress is to the consumer, and the patient doesn’t want to pay. If you have participation with Medicare, you can’t bill the patient, so you lose the money. That’s why it’s important to get the transaction and codes training piece implemented and in place and trained and tested prior to April 14, 2004.”

Rosenbaum’s office is, of course, compliant with HIPAA. “Yet in our building, other surgeons are not compliant. I know they’re not,” he claims. “There have to be more multimillion dollar lawsuits settled in order to pique their interest.” Part of the problem, he says, is that “a lot of the security implementation requirement is not until 2005, so implementation of some of these security measures is being put off because it costs some money. However, government has said you have to show a plan of action and a course of action taken by April of 2005. So you have to have some plan in place and start to do all the things you’re supposed to.”

Another third-party vendor that can provide a range of services related to HIPAA compliance is the accounting and financial services firm Bederson & Company LLP. Evan S. Zuckerman, CPA, is an expert on HIPAA, and his firm offers help both with managing ongoing compliance and with instituting compliance policies where they were not previously established. “One of the biggest problems that we did see at the beginning is that nobody was even thinking about it or wanted to be compliant,” Zuckerman recalls. “There were no privacy notices. There were no policies and procedures in place. The problem now is that [they don’t have the] required forms that patients need to sign for release of personal health information. If you’re a longstanding client, you might say, ‘Oh, please send it to my mother,’ and they’ll just send it to the mother without having a form in place.”

Asked how he convinces his clients to become compliant, Zuckerman says, “I remind them about the penalties and that helps, because that’s a bottom line dollar to their pocketbook. Once they tell their staff to be more conscious, then it all trickles down.” In many cases, Zuckerman says, “I seem to see that the smaller the practice, the less compliant they are. The larger the organization, the more physicians, the more compliance I see across the board.” With a sole practitioner, he explains, “He’s more concerned with bringing revenue in the door [and has] delegated that responsibility out, or he doesn’t have a very big office staff knowledgeable in the industry. The more revenue that’s being generated, the more you can pay office staff and get more knowledgeable people there.”

HIPAA compliance extends throughout the office, Zuckerman points out. “The front desk needs to understand what has to be filled out by patients, what to do when they get a request for information, whether they’re allowed to give it out or not. The administrative side has to understand how to operationally put it into effect.” Training is integral to proper implementation. “Putting a book up on the shelf with your policies and procedures doesn’t do anything,” Zuckerman says. “Your staff has to understand what’s in that book. I suggest you sit down one evening over a pizza and actually go through each policy and procedure and explain what it’s for and how to put it into effect.” Often, Zuckerman’s clients will send office managers to national conferences to learn about compliance, then return to the office to train the staff. “If you have a very good person who can do that, definitely do that, but if you’re not confident in your staff, bring in a specialist from outside to do it,” he observes.

“Our approach is to work with experts in the field, such as HIPAA consultants, or experts in a healthcare institution,” says Jeff McCormack, PhD, chief learning officer at DigiScript. DigiScript is an e-learning solutions and services provider; it works with educators and digitally archives their content so it can be offered on the Internet or on a CD-based platform. “HIPAA touches so many aspects. If an audit is being conducted, auditors are impacted by HIPAA. They have access to confidential information; what they do with that information is critical. [They might have access to] what tests were run. If there is some kind of billing service, there is the transfer of bills for some type of test to a payor,” he explains. “Consultants are typical in a healthcare institution; they will have access to confidential information. Endoscopy has equipment maintenance personnel. I don’t know about all the devices endonurses use, but I know there are lots of different medical devices, and those things have to be serviced. In some cases — if there are databases with electronic information on a file — those service personnel have access to that information,” he observes.

It is critical that some type of policy be put in place for training, McCormack stresses. “Especially for someone who has day-to-day access to that information, they must be trained appropriately and there must be documentation that they’ve been trained.” McCormack continues, “Within a healthcare institution, especially if there has been a breach of confidentiality and private information has been released to the public or to an individual, there should be documentation that they had a training program in place, and that the individual did receive that training before they allowed that information to be released. It protects the institution.” However, he adds, “HIPAA established general guidelines and allowed each institution to determine how they’re going to approach it. The law specifies that they need to be trained.”

It is left to the institution to determine how the training is to be delivered. It can include classroom training, a form to sign off on, a notebook to read, or an online resource. McCormack’s company specializes in online offerings and digital content. “For large institutions with multiple facilities around the United States or around the globe, a standard, consistent method for training that’s very cost-effective is online training,” he points out. This ensures that the message is consistent across the board. Otherwise, McCormack says, you “train the trainers and hope they say what you told them to say, unless you have a single trainer to whom everyone has access. Smaller institutions may not be able to justify having an online format. There are a number of off-the-shelf HIPAA training programs and a number of consultants.”

“There is a lot more to HIPAA than just the hospital. This includes anyone handling confidential healthcare information — billing services, insurance payors — and touches a lot of different aspects,” he adds.